Cryptanalysis of an anonymous wireless authentication and conference key distribution scheme
Qiang Tang and Chris J. Mitchell
Information Security Group
Royal Holloway, University of London
Egham, Surrey TW20 0EX, UK
{qiang.tang, c.mitchell}@rhul.ac.uk
19th February 2005
Abstract
In this paper we analyse an anonymous wireless authentication and conference key distribution scheme which is also designed to provide mobile participants with user identification privacy during the conference call. The proposed scheme consists of three sub-protocols: the Call Set-Up Authentication Protocol, the Hand-Off Authentication Protocol, and the Anonymous Conference Call Protocol. We show that the proposed scheme suffers from a number of security vulnerabilities.
1 Introduction
In [1], Wang proposed an anonymous wireless authentication and conference
key distribution scheme, which enables authentication between mobile users
and base stations (also between mobile users and the mobile switching center
(MSC)) and secure conference key distribution in the mobile system. The
proposed scheme is claimed to possess the following advantages:
1. It provides the mobile user with user identification privacy which can
prevent outsiders from tracing the location of a mobile.
2. It provides anonymity for the mobile users in the conference call so
that one participant in the conference does not know who else has
joined the conference call.
Wang [1] claimed that the proposed scheme is secure and achieves all the
intended properties; however our analysis demonstrates that a number of
security vulnerabilities exist in the proposed protocols: (1) In the Call Set-
Up Authentication Protocol a malicious base station can cheat the mobile
user; (2) In the Hand-Off Authentication Protocol a malicious base station
can impersonate a valid base station; (3) In the Anonymous Conference
Call Protocol a participant can determine whether or not another mobile
user has taken part in the conference call, so that the anonymity property
is undermined.
The remainder of this paper is organised as follows. In Section 2, we review
the proposed authentication and key distribution scheme. In Section 3, we
describe vulnerabilities in the proposed protocols. In Section 4, we conclude
the paper.
2 Review of the proposed scheme
In the proposed scheme three kinds of entity are involved in the protocols,
namely the MSC, the base stations, and the mobile users. The scheme is
designed for use by the subscribers of the same MSC. The MSC has a
number of service domains, each uniquely enabled by a base station. The
mobile user communicates with the base station via a radio link, in which
we suppose the data is transferred in plain-text and an eavesdropper can
intercept the message. The base station communicates with the MSC via a
wire-line link, which is assumed to be a channel secure against both passive
and active adversaries. The mobile user cannot communicate with the MSC
directly; communications between them must be forwarded by a base station.
The proposed scheme consists of the following three sub-protocols:
1. Call Set-Up Authentication Protocol: This protocol is used to achieve
mutual authentication between the user and the MSC. It also enables
authentication between the mobile user and the base station.
2. Hand-Off Authentication Protocol: This protocol is used for re-authentication
when the user moves to a new service domain during a session.
3. Anonymous Conference Call Protocol: This protocol is used for the
anonymous establishment of a conference key among the participating
users.
The three protocols apply to a closed group of at most m + 1 members for
some m, the members of which are written MU0 , MU1 , · · ·. The size of m
is constrained by the size of other system parameters, notably the length of
the prime p (as described below). The Call Set-up Authentication Protocol
describes how mobile user MUi joins such a group. User MU0 is a ‘special’
member, responsible for initiating every conference call. In an initialisation
phase (prior to executing any of the protocols making up the scheme), the
MSC chooses a large prime number p, and an integer l with a bit length of
at least 250.
Then the MSC sets n = m + l and computes two vectors: A = (a1 , a2 , · · · , an )
and λ = (λ1 , λ2 , · · · , λn ), which satisfy:
$p > \sum_{j=1}^{n} (a_j \lambda_j \bmod p)$
and
$a_i \lambda_i > \sum_{1 \le j \le n,\, j \ne i} (a_j \lambda_j \bmod p)$
for any i, 1 ≤ i ≤ n. The MSC computes yi = λi ai mod p and sets (λi , yi )
to be the secret keys for MUi . The vector A and the prime p are the public
keys, where ai is the public key of MUi . MUi keeps (λi , yi ) secret inside
the handset. In the initialisation phase, when mobile user MUi registers at
the MSC, the MSC and MUi agree and store a random check number RCi,0
(the second subscript indicates the number of protocol rounds completed by
MUi since registration). The MSC chooses an RSA key pair, publishes the
public key e = 3 and the modulus n, and keeps the private key d secret. A
collision-resistant hash function h is agreed by all the entities.
In the following description, || represents concatenation, Ek (m) represents
encrypting m with secret key k using a symmetric encryption algorithm,
⊕ represents the bit-wise exclusive or operation, and IDX represents the
identity of entity X.
2.1 Call Set-Up Authentication Protocol
This protocol is initiated by a mobile user during conference call establishment.
Without loss of generality, we suppose this is the (v + 1)-th (v ≥ 0)
round of the protocol for MUi .
1. MUi selects a nonce Ksi , encrypts (IDMUi ||RCi,v ||Ksi ) using the public
key of the MSC: i.e. AUMUi = (IDMUi ||RCi,v ||Ksi )3 mod n, and then
sends AUMUi to the Base Station BS for the service domain where
MUi is located. Ksi will be used as the secret key between MUi and
the MSC during the conference call.
2. After receiving AUMUi , BS forwards AUMUi and its identity IDBS to
the MSC.
3. When the MSC receives AUMUi and IDBS , it decrypts AUMUi to obtain
(IDMUi ||RCi,v ||Ksi ). Then the MSC checks whether IDMUi is in its
database and that the received RCi,v is equal to the value stored in
its database. If both checks succeed, the MSC accepts MUi as a legal
subscriber; otherwise, the MSC terminates the protocol.
The MSC selects a new random check number RCi,v+1 for MUi to
use in the next run of this protocol. Then the MSC computes N R =
RCi,v ⊕ RCi,v+1 and generates a secret key SBS = (h(IDBS ||RCi,v ) ·
RCi,v )d mod n. Then the MSC sends {SBS , N R} to BS.
4. After receiving the message, BS chooses a random number r and computes:
XBS = g −3r mod n, and YBS = SBS · g r mod n
Then BS sends {IDBS , XBS , YBS , N R} to MUi .
5. After receiving {IDBS , XBS , YBS , N R} from BS, MUi verifies:
$\frac{(Y_{BS})^3 X_{BS}}{RC_{i,v}} \bmod n = h(ID_{BS} \| RC_{i,v}) \bmod n$
If the verification succeeds, MUi regards BS as a valid base station;
otherwise, MUi terminates the protocol.
MUi computes RCi,v+1 = N R ⊕ RCi,v and replaces RCi,v with RCi,v+1 .
MUi also computes and stores VBS = h(IDBS ||RCi,v ) for future use
when a hand-off occurs.
6. MUi sends an acknowledgment to BS, and BS forwards the acknowledgment to the MSC.
7. After receiving the acknowledgment from MUi , the MSC replaces
RCi,v in the database with RCi,v+1 and stores SBS for later use in
hand-off.
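As an added illustration (not code from the paper or from Wang's scheme), the following Python model works through steps 3 to 5 of the Call Set-Up Authentication Protocol and the chaining of SBS used at hand-off, with toy RSA parameters. The primes, identities and check numbers are constructed, and g, which the paper never defines, is assumed to be a unit mod n.

```python
# Toy model of the Call Set-Up Authentication Protocol (Section 2.1, steps 3-5)
# and of the S_BS chaining used at hand-off (Section 2.2).  Added illustration,
# not code from the paper: the RSA primes, g, identities and check numbers are
# constructed, and g (left undefined in the paper) is assumed to be a unit mod n.
import hashlib

def _is_prime(x):
    return x > 1 and all(x % i for i in range(2, int(x ** 0.5) + 1))

def _prime_from(start):
    # x ≡ 2 (mod 3) makes gcd(3, x - 1) = 1, so e = 3 is a valid RSA exponent
    x = start
    while not (_is_prime(x) and x % 3 == 2):
        x += 1
    return x

P1, Q1 = _prime_from(1 << 20), _prime_from(1 << 21)   # toy primes (constructed)
N = P1 * Q1                                            # MSC's RSA modulus n
E = 3                                                  # public exponent, as in the scheme
D = pow(E, -1, (P1 - 1) * (Q1 - 1))                   # private exponent d
G = 2                                                  # assumed generator g, a unit mod N

def h(*parts):
    """Collision-resistant hash of the concatenation, taken mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def msc_issue_sbs(id_bs, rc):
    """Step 3: S_BS = (h(ID_BS || RC_{i,v}) * RC_{i,v})^d mod n."""
    return pow(h(id_bs, rc.to_bytes(8, "big")) * rc % N, D, N)

def bs_respond(s_bs, r):
    """Step 4 (and hand-off step 5): X_BS = g^{-3r} mod n, Y_BS = S_BS * g^r mod n."""
    x = pow(pow(G, 3 * r, N), -1, N)
    y = s_bs * pow(G, r, N) % N
    return x, y

def mu_check(x, y, rc):
    """Left-hand side of the mobile user's test: (Y^3 * X) / RC mod n.
    Y^3 * X = S^3, so r cancels and neither r nor N R is covered by the test."""
    return pow(y, E, N) * x % N * pow(rc, -1, N) % N

def mu_verify_setup(id_bs, rc, x, y):
    """Step 5: accept BS iff (Y^3 X)/RC = h(ID_BS || RC_{i,v}) mod n."""
    return mu_check(x, y, rc) == h(id_bs, rc.to_bytes(8, "big"))

def msc_issue_handoff(s_bs, id_bs_new):
    """Hand-off step 2: S_{BS'} = (h(ID_{BS'}))^d * S_BS mod n."""
    return pow(h(id_bs_new), D, N) * s_bs % N

def mu_verify_handoff(v_bs, id_bs_new, rc, x, y):
    """Hand-off step 6, with V_BS = h(ID_BS || RC_{i,v}) stored at call set-up."""
    return mu_check(x, y, rc) == v_bs * h(id_bs_new) % N
```

Because Y^3 X collapses to S^3, the mobile user's test accepts any (X, Y) derived from a valid SBS regardless of r, which is the property the replay observations in Section 3 build on.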
2.2 Hand-Off Authentication Protocol
During an established conference call (suppose it is the (v + 1)-th (v ≥ 0)
conference call for MUi ), MUi might move from the service domain of BS to
the service domain of a different Base Station BS′. In this case, the following
hand-off protocol is required for a new mutual authentication between MUi
and BS′.
1. BS generates a nonce nB and sends it to both MUi and the MSC.
2. The MSC determines (by some means) the new base station, say BS′,
for MUi , and computes SBS′ = (h(IDBS′ ))d SBS mod n. The MSC then
computes and sends EKsi (nB ) and SBS′ to BS′.
3. MUi sends EKsi (nB ) to BS′. Here we assume that the routing mechanism
used in the network enables MUi to determine the identity of its
new base station.
4. BS′ compares the two values of EKsi (nB ) received from MUi and the
MSC. If they match, BS′ regards MUi as a valid subscriber; otherwise,
BS′ terminates the protocol.
5. After receiving SBS′ , BS′ further chooses a random number r′, and
computes:
XBS′ = g −3r′ mod n
YBS′ = SBS′ · g r′ mod n
Then BS′ sends {IDBS′ , XBS′ , YBS′ } to MUi .
6. After receiving {IDBS′ , XBS′ , YBS′ } from BS′, MUi verifies:
$\frac{(Y_{BS'})^3 X_{BS'}}{RC_{i,v}} \bmod n = V_{BS} \cdot h(ID_{BS'}) \bmod n$
If the verification succeeds, MUi regards BS′ as a valid base station.
After the successful protocol execution, MUi stores VBS′ = VBS · h(IDBS′ )
for future authentication. The MSC stores SBS′ for future use.
2.3 Anonymous Conference Call Protocol
Suppose some set of k (k < m) users wish to establish a conference key.
Without loss of generality, suppose the users are MU1 , MU2 , · · ·, MUk .
They perform the following protocol.
1. MU0 issues a participation list for the conference call, and constructs
the binary vector R = (r1 , · · · , rm ), where ri = 1 if and only if MUi is
to be a member of the conference, i.e. in this case r1 = · · · = rk = 1
and rk+1 = · · · = rm = 0. MU0 chooses a vector (w1 , · · · , wl ), each
element of which is randomly chosen from {0, 1}. MU0 computes:
$Z = \sum_{i=1}^{m} a_i r_i + \sum_{i=1}^{l} a_{m+i} w_i$
and puts
AUMU0 = (IDMU0 ||IDMU1 || · · · ||IDMUk ||RCi,v ||Ks0 )3 mod n
Then MU0 sends {Z, AUMU0 } to the MSC via a base station.
2. MU0 and MSC authenticate each other using the Call Set-Up Authen-
tication Protocol. If the protocol is successfully completed, the MSC
broadcasts Z to all the mobile users in the same group. The MSC
decrypts AUMU0 to obtain the identities of the users participating in
the conference.
3. When MUi (1 ≤ i ≤ m) receives the broadcast message, it can com-
pute Ri = λi Z mod p, where λi is the private key of MUi . If Ri < yi ,
then MUi can deduce that ri = 0 and hence MUi is excluded from this
call; otherwise, we must have ri = 1 and hence MUi is included in this
conference call.
As a result, the users MU1 , MU2 , · · · , MUk will know that they are
included in the conference call. Each MUj (1 ≤ j ≤ k) computes
(IDMUj ||RCj,w ||Ksj )3 mod n and sends it to the MSC (for the sim-
plicity of our description, we assume that this is the (w +1)-th (w ≥ 0)
round of the protocol for MUj ). Notice that this is the first message of
the Call Set-Up Authentication Protocol between MUj and the MSC.
4. After receiving (IDMUj ||RCj,w ||Ksj )3 mod n, the MSC decrypts it to
obtain IDMUj , RCj,w , and Ksj . Then the MSC checks whether the
identity IDMUj is identical to one of the identities he stored in Step 2.
If the check fails, the user is rejected. Once MUj is accepted, MUj and
the MSC proceed through the rest of the Call Set-Up Authentication
Protocol. If the protocol is successfully completed, IDMUj and the
MSC will share a common secret key Ksj .
5. After finishing the mutual authentication process with all the partici-
pants, the MSC uses the coordinate points (IDMU0 , Ks0 ) and (IDMUj , Ksj )
(1 ≤ j ≤ k) to construct a Lagrange interpolating polynomial f (z) of
degree k over GF (p). The MSC computes Kc = f (0) as the common
session key for the conference. Then the MSC selects k distinct co-
ordinate points (at , bt ), t = 1, 2, · · · , k from the polynomial f (z) and
broadcasts them to the participating users.
6. On receiving (at , bt ), t = 1, 2, · · · , k, MUj (1 ≤ j ≤ k) reconstructs
the interpolating polynomial f (z) using (at , bt ), t = 1, 2, · · · , k and
his own coordinate pair (IDMUj , Ksj ), and then computes Kc = f (0).
MU0 can compute Kc in the same way.
3 Security Vulnerabilities
Wang (see, for example, [1]) claimed that the proposed scheme is secure and
achieves all the intended properties; however we show that the protocols
suffer from a number of vulnerabilities. It should be noted that our analysis
has been carried out theoretically, and we do not provide implementation
details of the attacks.
• First observe that the Call Set-Up Authentication Protocol involves
encrypting a data string by simply applying the RSA primitive (i.e.
modular exponentiation), without any preliminary padding or masking.
This has, for a number of years, been deemed very bad practice
for a variety of reasons. It is generally accepted that use of the RSA
primitive for encryption requires that data be first masked and padded
by some means, e.g. OAEP [2].
• Since the acknowledgement sent by the mobile user to the base station
in the Call Set-Up Authentication Protocol is not authenticated, an
attacker can easily mount a denial of service attack. To deploy an
attack, the attacker just needs to substitute the value N R with N R′
(N R′ ≠ N R) in step 5 of the protocol. As a result MUi will then lose
synchronism with the MSC, and all subsequent instances of the Call
Set-Up Authentication Protocol for MUi will fail.
• In some circumstances it is possible for a malicious base station to
impersonate the MSC to cheat the mobile user in the Call Set-Up
Authentication Protocol. For simplicity, we show the attack assuming
that MUi executes the protocol on two consecutive occasions via the
same base station BS.
In the Call Set-Up Authentication Protocol the value NR is transferred
in plain-text, and so BS can record the value of N R used in every
round of the protocol. Because there is no authentication for the
nonce N R transported in step 4 of the protocol, then in the (v + 2)-th
(v ≥ 0) round of the protocol BS can replace N R with RCi,v ⊕RCi,v+1 ,
which equals the N R used in the previous round. The protocol will
successfully end, and MUi will store the check number as RCi,v+2 =
RCi,v+1 ⊕ RCi,v ⊕ RCi,v+1 = RCi,v . In the (v + 3)-th round of the
protocol BS can impersonate the MSC to MUi as follows.
1. MUi selects a nonce Ksi , then computes and sends:
AUMUi = (IDMUi ||RCi,v+2 ||Ksi )3 mod n
to BS. Ksi will be used as the secret key between MUi and the
MSC.
2. After receiving AUMUi , BS sets the value of N R to be a random
number and puts SBS = (h(IDBS ||RCi,v )·RCi,v )d mod n, which is
the same as the value used in the (v + 1)-th round of the Call Set-Up
Authentication Protocol. Then BS chooses a random number r
and computes:
XBS = g −3r mod n
YBS = SBS · g r mod n
Then BS sends {IDBS , XBS , YBS , N R} to MUi .
3. After receiving {IDBS , XBS , YBS , N R} from BS, MUi verifies:
$\frac{(Y_{BS})^3 X_{BS}}{RC_{i,v+2}} \bmod n = h(ID_{BS} \| RC_{i,v+2})$
Since RCi,v+2 = RCi,v , the verification will succeed and the impersonation
attack is successfully completed.
It should be noted that any malicious party equipped with the means
to emulate a base station and intercept traffic sent and received by a
mobile user could launch this attack by impersonating BS.
• Suppose, during the conference call, MUi transfers from the service domain
of BS to the service domain of BS′. Then any attacker equipped
with the means to emulate a base station, who has intercepted the
hand-off authentication history over the radio link, can deploy an
impersonation attack on the next occasion that MUi transfers to a
domain serviced by another base station BS″.
Suppose the intercepted history data of MUi is {IDBS′ , XBS′ , YBS′ } in
step 5 of the Hand-Off Authentication Protocol. Then the attacker can
impersonate BS″ to execute the Hand-Off Authentication Protocol as
follows.
1. The attacker generates a nonce nB and sends it to MUi .
2. MUi sends EKsi (nB ) to the attacker.
3. The attacker uses {IDBS′ , XBS′ , YBS′ } to compute:
YBS″ = YBS′ = SBS′ · g r′ mod n
XBS″ = h(IDBS″ ) · XBS′ = h(IDBS″ ) · g −3r′ mod n
The attacker then sends {IDBS″ , XBS″ , YBS″ } to MUi .
4. After receiving {IDBS″ , XBS″ , YBS″ } from the attacker, MUi verifies:
$\frac{(Y_{BS''})^3 X_{BS''}}{RC_{i,v}} \bmod n = V_{BS'} \cdot h(ID_{BS''}) \bmod n$
and the impersonation attack succeeds.
• Although the Anonymous Conference Call Protocol is designed to
provide anonymity for the participants, we show that it is possible for
a participant, MUi say, to find out whether another user has taken
part in the conference. The attack is based on the assumption that
the attacking mobile user knows the identity of the victim user and
can track him.
Suppose MUi tracks MUj and intercepts all the messages to and from
MUj . When MUj transfers from the service domain of BS1 to the
service domain BS2 , if MUj has taken part in a conference call then
MUi can intercept the nB and EKsj (nB ) from the Hand-Off Authentication
Protocol of MUj . Then MUi computes the secret key Ksj*
between MUj and the MSC (this is meaningful only if MUi has
taken part in the conference) using the interpolating polynomial
f (z), which belongs to the conference call that MUi has taken part
in. MUi then knows that MUj has taken part in the conference if
EKsj (nB ) = EKsj* (nB ).
Furthermore, if MUi discovers that MUj has taken part in the same
conference call, then, using Ksj , MUi can impersonate MUj when MUj
transfers to another service domain.
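The key-distribution steps 5 and 6 of Section 2.3 and the anonymity attack just described rest on the same fact: the interpolating polynomial f (z) passes through every participant's (IDMUj , Ksj ) pair, so any participant who reconstructs f can evaluate it at another participant's identity. The following Python model is added here as an illustration and is not code from the paper or from Wang's scheme; the prime P and the identities and session keys in the demonstration at the bottom are constructed sample values.

```python
# Toy model of the conference-key step (Section 2.3, steps 5 and 6).  Added
# illustration, not code from the paper: the prime P and the identities and
# session keys used in the demonstration at the bottom are constructed values.
import random

P = 2**61 - 1   # stands in for the scheme's GF(p); constructed toy prime

def lagrange_at(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through `points`, mod p."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

def msc_distribute(ids, keys, p=P, seed=None):
    """MSC side.  ids[0], keys[0] belong to MU0; the rest are (ID_MUj, Ksj), j = 1..k.
    f is the degree-k polynomial through these k+1 pairs, Kc = f(0), and k further
    points of f (none of them at an identity or at 0) are broadcast."""
    pairs = list(zip(ids, keys))
    k = len(pairs) - 1
    kc = lagrange_at(pairs, 0, p)
    rng = random.Random(seed)
    used = set(ids) | {0}
    broadcast = []
    while len(broadcast) < k:
        a = rng.randrange(1, p)
        if a not in used:
            used.add(a)
            broadcast.append((a, lagrange_at(pairs, a, p)))
    return kc, broadcast

def participant_recover(broadcast, own_id, own_key, p=P):
    """MU_j side: the k broadcast points plus its own (ID_MUj, Ksj) fix f completely.
    Returns Kc = f(0) and f itself.  Because f passes through every participant's
    pair, f(ID_MUx) = Ksx for any other participant x: this is the leak the
    anonymity attack relies on."""
    pts = broadcast + [(own_id, own_key)]
    return lagrange_at(pts, 0, p), (lambda z: lagrange_at(pts, z, p))

if __name__ == "__main__":
    ids = [1001, 2002, 3003, 4004]                # ID_MU0 .. ID_MU3 (constructed)
    keys = [123456789, 987654321, 555555555, 42]  # Ks0 .. Ks3 (constructed)
    kc, bc = msc_distribute(ids, keys, seed=7)
    kc1, f = participant_recover(bc, ids[1], keys[1])
    print("MU1 recovers Kc:", kc1 == kc)
    print("MU1 learns Ks3 = f(ID_MU3):", f(ids[3]) == keys[3])
```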
4 Conclusion
In this paper we have analysed an anonymous wireless authentication and
conference key distribution scheme which is also designed to provide mobile
participants with user identification privacy during the conference call. We
show that all the proposed protocols suffer from significant security vulnerabilities.
References
[1] S.-J. Wang. Anonymous wireless authentication on a portable cellular
mobile system. IEEE Transactions on Computers, 53(10):1317–1329,
2004.
[2] A. W. Dent and C. J. Mitchell. User's Guide to Cryptography and Standards. Artech House, 2005.